view counter

GridU.S. grid vulnerable to cyber, physical attacks

Published 1 April 2015

The U.S. electric grid remains vulnerable to cyber and physical attacks, putting millions of households at risk from outages that could last a few days or weeks. Attacks on the grid occur once every four days, and though no great harm has been caused, some experts are warning that the series of small-scale incidents may point to broader security problems. “It’s one of those things: One is too many, so that’s why we have to pay attention,” says one expert. “The threats continue to evolve, and we have to continue to evolve as well.”

The U.S. electric grid remains vulnerable to cyber and physical attacks, putting millions of households at risk from outages that could last a few days or weeks.

The grid operates as an interdependent network, so the failure of any one element requires energy to be drawn from other areas. When multiple parts of the grid fail simultaneously, a cascading effect could leave entire regions without power. ATMs, cellphones, traffic lights could cease to function, while heating, air conditioning, and health care systems would exhaust their backup power supplies. Attacks on the grid occur once every four days, and though no great harm has been caused, some experts are warning that the series of small-scale incidents may point to broader security problems.

It’s one of those things: One is too many, so that’s why we have to pay attention,” said Federal Energy Regulatory Commission (FERC) chairman Cheryl LaFleur. “The threats continue to evolve, and we have to continue to evolve as well.”

USA TODAY reports that substation transformers and other critical power equipment are often exposed, protected only by chain-link fencing and a few security cameras. An April 2013 attack on Pacific Gas & Electric’s (PG&E) Metcalf substation in northern California caused more than $15 million in damage, though no power was lost. The attackers severed six underground fiber-optic lines then fired more than 100 rounds of ammunition at the substation’s transformers. Last year, PG&E senior director of substations Ken Wells called the attack “a game changer.” “No doubt about it, …this event caused us and the entire industry to take a new and closer look at our critical facilities and what we can do to protect them,” Wells said.

Following the Metclaf attack, the industry-funded North American Electric Reliability Corporation (NERC), upon FERC orders, released in November 2014 new rules for physical security. The rules require utilities to identify vulnerable critical infrastructure and establish security plans. Critics say the new policy fails to give FERC authority to approve which facilities and equipment are critical, leaving the decisions to the industry. The lack of authority for FERC “could be a loophole that could miss some aspects of the utility infrastructure that are critical,” said former FERC chairman Jon Wellinghoff.

Further fueling the criticism, between 2011 and 2014, electric utilities reported to the U.S. Department of Energy 348 physical attacks and fourteen cyberattacks (an additional 151 “cyber incidents” related to the energy industry was reported to the DHS cyberthreat monitoring team in 2013, up from 111 in 2012 and thirty-one in 2011), but suspects have not been identified in connection with many of the attacks. Even the number of security penalties the NERC issued has decreased by 30 percent from 1,230 in 2013 to 860 in 2014. NERC president and CEO Gerry Cauley said decreasing penalties reflect increased compliance, rather than decreasing enforcement. “Longer term, you expect people to get the message and make the adjustments to keep improving,” he said. “It’s not because we’re being nicer.”

The NERC and other industry funded groups including the Edison Electric Institute, have fought legislation aimed at eliminating the industry’s self-regulation. Cauley said the industry’s technical expertise is critical to ensuring reliability of the grid and attempts to lessen the industry’s oversight would be “detrimental.”

The people who run and manage and design the system have to be at the table there to figure out how it should work,” he said. “We wouldn’t want to lose that. I think we would actually take a step backward if we did that.”